Cyber Posture

CVE-2026-4602

High · Public PoC

Published: 23 March 2026
Modified: 23 March 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (22.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4602 is a high-severity Incorrect Conversion between Numeric Types (CWE-681) vulnerability in Jsrsasign Project Jsrsasign. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mandates identification, reporting, and correction of flaws like the negative exponent handling bug in jsrsasign by upgrading to version 11.1.1 or later.

prevent, detect: Requires scanning for vulnerabilities such as CVE-2026-4602 in jsrsasign and timely remediation to prevent exploitation.

prevent: Enforces validation of inputs to cryptographic functions like modPow to block negative exponents and mitigate incorrect modular inverse computations.

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in modPow enables remote supply of crafted negative exponent input to trigger incorrect RSA computations, directly resulting in application crashes/hangs (A:H) via exploitation of the crypto library implementation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

Deeper analysis (AI)

CVE-2026-4602 affects versions of the jsrsasign JavaScript package prior to 11.1.1, specifically due to an Incorrect Conversion between Numeric Types (CWE-681) in the ext/jsbn2.js component. The flaw arises from improper handling of negative exponents in the modPow function, which leads to the computation of incorrect modular inverses. This vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.

An unauthenticated remote attacker can exploit this vulnerability by supplying a negative exponent to the modPow function in an application using the affected jsrsasign library. Successful exploitation forces incorrect modular inverse calculations, enabling the attacker to break RSA signature verification processes. While this disrupts cryptographic operations, the primary impact is high availability disruption, such as application crashes or hangs, without direct confidentiality or integrity violations.

Mitigation involves upgrading to jsrsasign version 11.1.1 or later, where the issue is addressed via a commit (5ea1c32bb2aa894b4bd29849839afe4f98728195) and pull request (#650) that fix negative exponent handling in jsbn2.js. Security advisories from Snyk (SNYK-JS-JSRSASIGN-15371175) and related GitHub resources confirm the patch and recommend immediate updates for applications relying on this library for cryptographic operations.

Details

CWE(s): CWE-681 Incorrect Conversion between Numeric Types

Affected Products: jsrsasign project, jsrsasign, ≤ 11.1.1

CVEs Like This One

CVE-2026-4598: same product (Jsrsasign Project Jsrsasign)
CVE-2026-4599: same product (Jsrsasign Project Jsrsasign)
CVE-2026-4601: same product (Jsrsasign Project Jsrsasign)
CVE-2026-4600: same product (Jsrsasign Project Jsrsasign)
CVE-2026-24174: shared CWE-681
CVE-2026-25989: shared CWE-681
CVE-2025-53733: shared CWE-681
CVE-2026-26178: shared CWE-681
CVE-2025-24059: shared CWE-681
CVE-2026-24856: shared CWE-681
